Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract public and private IP addresses fields separately

cs308
Loves-to-Learn
‎08-02-2025 04:26 AM

I have trouble with getting public and private IP addresses fields separately. How can I extract private and public IP addresses fields separately using regex???  Because, when I extract IP field from failed ssh login log, I get both public and private  fields in same filed, therefore I want extract them in different fields.

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-02-2025 11:28 AM

1. Don't think about it like that. If a field in your data is - let's say - the source of the connection, it is that source regardless of whether it is a public IP or a private one. You can filter on that field later.

2. Even if you tried doing that it will not be pretty using regex alone.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2025 12:01 PM

@PickleRick I think the point is that @cs308 wants to be able to determine if an IP address is private or not. Yes, the regex may not be pretty, but it is doable (about 135 characters for a version that detects private ip addresses, and about 150 characters for a version that detects non-private ip addresses). As I said, this depends on what the definition of private is and how robust the expression needs to be.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2025 04:59 AM

Please share what you have tried so far and some anonymised sample events that you are working with.

Also, is this ipv4 only?

In general, ipv4 private addresses fall into distinct groups, is it that you want to use these groups to determine which sort of address it is? If so, which groups do you want to treat as private? For example: 127.x.x.x, 192.168.x.x, etc?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...